Department of Homeland Security

U.S. Citizenship and Immigration Services’ Laptop Safeguards Need Improvements

OIG-12-83    May 2012

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

May 4, 2012

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and
special reports prepared as part of our oversight responsibilities to promote economy,
efficiency, and effectiveness within the Department.

This report addresses the strengths and weaknesses of the U.S. Citizenship and
Immigration Services program to safeguard its laptops. This report is based on
interviews with employees and officials of relevant agencies and institutions, direct
observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our
office, and have been discussed in draft with those responsible for implementation. We
trust this report will result in more effective, efficient, and economical operations.
We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Information Technology Audits

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
    USCIS Needs To Improve Its Laptop Inventory Management Process
    Recommendations
    Management Comments and OIG Analysis
    USCIS Needs To Improve Its Laptop Configuration Management Process
    Recommendations
    Management Comments and OIG Analysis

Appendices
    Appendix A:  Purpose, Scope, and Methodology
    Appendix B:  Management Comments to the Draft Report
    Appendix C:  Statistical Analysis of USCIS Laptops
    Appendix D:  Major Contributors to this Report
    Appendix E:  Report Distribution

Abbreviations
    CIO              Chief Information Officer
    DHS              Department of Homeland Security
    Directive 4300A  DHS Sensitive Systems Policy Directive 4300A
    OIG              Office of Inspector General
    OIT              Office of Information Technology
    SAMS             Sunflower Asset Management System
    WSUS             Windows Server Update Services
    USCIS            U.S. Citizenship and Immigration Services

Department of Homeland Security
Office of Inspector General

Executive Summary

We conducted an audit of laptop security at U.S. Citizenship and
Immigration Services (USCIS). Our audit objective was to
determine whether USCIS has implemented an effective program
to safeguard its laptop computers and the information they contain.

We reviewed inventory information and performed onsite
inspections in USCIS offices in Washington, DC, and in a
contractor’s New Jersey shipping facility. We also interviewed
departmental staff and examined the operating systems and
encryption software on a statistically valid, random sample of
laptops.

USCIS’ laptop controls did not sufficiently safeguard its laptops
from loss or theft and did not protect the data on the laptops from
disclosure.
Specifically, USCIS did not have an accurate and
complete inventory of its laptops, nor were inventory data reported
accurately and consistently in electronic databases. Additionally,
many laptops were not assigned to specific users. USCIS also did
not provide adequate physical security for its laptops. Finally, not
all of USCIS’ laptops were using the latest encryption software or
operating systems and associated service packs.

We are recommending that USCIS take steps to improve its laptop
inventory and configuration management processes. Specifically,
USCIS property custodians should enter laptop data consistently
into its property management system, and record laptops provided
to contractors as government-furnished equipment. Additionally,
we are recommending that USCIS ensure that it has installed the
latest operating systems and encryption software on its laptops.
Our last recommendation is that USCIS develop procedures to
ensure that users’ laptops are connected to its network on a
monthly basis so that software updates may be applied.

Background

USCIS has more than 18,000 employees and contractors working
at 250 offices around the world. It uses laptop computers to help
fulfill its mission of overseeing lawful immigration to the United
States.
Additionally, USCIS contractors are issued laptops as
government-furnished equipment to access USCIS systems.

The mobility of laptops increases workforce productivity.
However, this same mobility increases the risk of theft and
unauthorized data disclosure. The increased risk of theft of laptop
computers is associated with both cost and security. For example,
replacing the hardware and restoring the information is costly.
Additionally, when laptops are stolen, there is a security risk of
data disclosure.

A USCIS property custodian takes possession of each incoming
laptop and enters its information into the Department of Homeland
Security’s (DHS) Sunflower Asset Management System (SAMS),
which USCIS uses to track and maintain its inventory electronically.
The property custodian, using SAMS, then assigns the laptop to a
USCIS employee or contractor. A USCIS Desktop Server
Management employee customizes the laptop for that specific
location, including manually entering the computer name into the
laptop’s system properties. This internal computer name includes
the location and barcode number. As of October 20, 2011, USCIS
had 6,659 laptops recorded in SAMS.

USCIS has additional processes to safeguard its laptops. For
example, USCIS performs an annual wall-to-wall, floor-to-ceiling
inventory of its assets, including laptops, to verify the accuracy of
data in SAMS.
USCIS also uses configuration management
software, Windows Server Update Services (WSUS), to provide
laptops with authorized Microsoft systems and software updates.

USCIS follows DHS policy for safeguarding laptops, found in
DHS Sensitive Systems Policy Directive 4300A, Version 9.0,
October 11, 2011 (Directive 4300A). Directive 4300A outlines
policies for operational, technical, and management controls
necessary to ensure confidentiality, integrity, availability,
authenticity, and nonrepudiation in DHS’ information technology
infrastructure and operations.

Results of Audit

USCIS Needs To Improve Its Laptop Inventory Management Process

USCIS did not have an accurate inventory of its laptops. Specifically,
property custodians did not consistently enter laptop data into the property
management system, and data in different systems did not always agree.
Furthermore, not all laptops were assigned to specific users, and USCIS
did not adequately track which laptops were provided to contractors.
Finally, USCIS did not enhance physical security controls by providing
cables and locks for laptops. These deficiencies increased the risk of loss
or theft of USCIS laptops.

Inventory Is Inaccurate and Needs Updating

USCIS uses SAMS to maintain its inventory of assets such as
laptops.
However, USCIS staff did not always adhere to published
guidance when entering laptop information into SAMS, which led
to inconsistent and unreliable information in the system. Without
reliable information in SAMS, USCIS cannot locate all of its
laptops, increasing the risk that they could be lost or stolen.

The inconsistent laptop data entered in SAMS made it more
difficult to determine a laptop’s user and location. USCIS property
custodians sometimes entered the user’s name in other data fields,
such as the “Comment” field. During our site visit to one
Washington, DC, facility, USCIS staff were not able to physically
locate all the laptops that were listed in SAMS as being in that
facility. For several of these laptops, the SAMS user name was
“Unassigned.”

Additionally, USCIS was unable to provide us with the number of
laptops that had been provided initially to contractors as
government-furnished equipment. Specifically, USCIS did not
have a consistent method for identifying in SAMS which laptops
were assigned to contractors.
For example, some USCIS property
custodians denoted the laptop as government-furnished equipment
by entering the contractor’s name in the “Steward” field.

According to the USCIS Personal Property Management
Instruction Handbook, USCIS IHB 119-002-01,

    Equipment purchased by the government for use by a
    contractor is normally received through the acquisition
    channels and maintained in their approved system of record
    or as an agreement asset in SAMS.

According to the USCIS Office of Information Technology (OIT)
End User Services Division Personal Property Handbook,
December 2010,

    Ensure all OIT employees are entered into Sunflower as
    users for accounting purposes.

    GFE [government-furnished equipment] at a contractor site
    shall be entered into SAMS in the “Agreement Module.”

Without accurate and reliable information, USCIS could not
always use SAMS data to alert specific users that their laptop
software was out of date. Specifically, laptop barcode data in
SAMS did not always match the barcode data in WSUS, the
system USCIS uses to provide Microsoft-related software updates
to laptops.
For example, 2.79 percent of our random sample of
laptops had a WSUS computer name that did not match the
barcode, and 6.27 percent had nonstandard internal computer
names.1

1 See appendix C, Statistical Analysis of USCIS Laptops.

According to USCIS staff, the lack of consistency in data entry
was partly the result of the manual process for updating SAMS.
However, during our fieldwork, we were informed that USCIS had
begun to use hand-held barcode scanners to increase the accuracy
of the SAMS inventory.

Physical Security Controls for Laptops Need Improvement

The mobility of laptops increases the risk of theft, and thus raises
the risk of data disclosure; however, USCIS did not guard against
theft by providing locks and cables to enhance physical security.
Specifically, according to USCIS staff, locks and cables are
provided only if the laptop’s user requests these safeguards.

To prevent unauthorized individuals from removing laptops from
unsecured facilities, USCIS should implement stronger physical
security controls by issuing locking cables for its laptops.
According to Directive 4300A,

    When unattended, laptop computers and other mobile
    computing devices shall be secured in locked offices,
    secured with a locking cable, or in a locked cabinet, or desk.

Recommendations

We recommend that the USCIS Chief Information Officer (CIO):

Recommendation #1: Ensure that laptop data are entered
consistently into the USCIS property management system.

Recommendation #2: Develop a consistent process to record
when laptops are initially provided as government-furnished
equipment.

Recommendation #3: Provide appropriate locks and cables for
laptops that may not be secured in locked offices, in a locked
cabinet, or desk when unattended.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the
Director of USCIS. We have included a copy of the comments in
their entirety at appendix B. The Director of USCIS concurred
with all five recommendations.

Recommendation #1

USCIS concurs with this recommendation.
Beginning in this fiscal
year, when verifying their annual inventory, USCIS Accountable
Property Officers must certify that all equipment is assigned to an
end user and all end users have signed receipts for all issued
property.

OIG Analysis

The actions being taken satisfy the intent of this recommendation.
This recommendation is considered resolved, but will remain open
until USCIS provides documentation to support that the planned
corrective actions are completed.

Recommendation #2

USCIS concurs with this recommendation. USCIS will review
agency policies and procedures governing the management of
government-furnished equipment; ensure that all agency contracts
include proper government-furnished equipment language; and
standardize the process for recording, maintaining, reporting, and
retrieving government-furnished equipment in accordance with
Federal and Department standards.

OIG Analysis

The actions being taken satisfy the intent of this recommendation.
This recommendation is considered resolved, but will remain open
until USCIS provides documentation to support that the planned
corrective actions are completed.

Recommendation #3

USCIS concurs with this recommendation.
USCIS will update
current policies and instructions to specifically address laptop
security, including the use of a lock and cable system when
appropriate.

OIG Analysis

The actions being taken satisfy the intent of this recommendation.
This recommendation is considered resolved, but will remain open
until USCIS provides documentation to support that the planned
corrective actions are completed.

USCIS Needs To Improve Its Laptop Configuration Management Process

The USCIS configuration management process for providing software
upgrades to its laptop computers needs improvement. Not all USCIS
laptops had the latest encryption software, operating systems, or service
packs. Furthermore, not all laptops received technical updates in a 30-day
period. These deficiencies increased the risk that identified laptop
vulnerabilities would not be resolved in a timely manner.

Encryption Software

The data on USCIS laptops were not always secured with the latest
encryption software. In our random sample of 287 laptops shown
in table 1, 8 percent were running older releases of the encryption
software, and 4.5 percent either did not have encryption software
installed or had inactive encryption software.

Table 1: Encryption Software Installed on Randomly Selected Laptops

Encryption Version                                    Number of Laptops   Sample Percentage
Laptops with older versions of encryption software                   23               8.01%
Laptops with latest version of encryption software                  149              51.92%
Not active/None                                                      13               4.53%
Unknown*                                                            102              35.54%
Total                                                               287                100%

*USCIS did not provide encryption software information for laptops in storage,
those that had not been assigned to staff, and those that were excessed or
planned to be excessed.

According to USCIS staff, there were two situations where, by
design, the standard USCIS encryption software was not active on
the laptops: laptops used for classified processing and laptops used
for training. USCIS staff noted that classified laptops do not use
the standard encryption software, but rather the laptops used for
classified processing conform to the rules of the classified system.

When encryption software was running on training laptops, if a
user rebooted, someone would need to be called to log in past
encryption before the class could continue.
According to USCIS
staff, the training laptops do not need to be encrypted because they
do not leave DHS facilities.

According to Directive 4300A,

    Information stored on any laptop computer or other mobile
    computing device that may be used in a residence or on
    travel shall use encryption.…

Laptop computers that are not running the most recent encryption
software might not be adequately protecting the security and
privacy of USCIS data, potentially putting data confidentiality,
integrity, and availability at risk.

Operating Systems and Associated Service Packs

Not all USCIS laptops were running the latest operating systems
with the most up-to-date service packs. Table 2 indicates that
4 percent of the laptops in our random sample were not running the
latest release of the operating system and service pack.

Table 2: Operating Systems Installed on Randomly Selected Laptops

Operating System and Service Pack   Number of Laptops   Sample Percentage
Older release                                      12               4.18%
Latest release                                    173              60.28%
Unknown*                                          102              35.54%
Total                                             287                100%

*USCIS did not provide operating system information for laptops in storage,
those that had not yet been assigned to staff, or those that were either excessed
or planned to be excessed.

According to Directive 4300A,

    Components shall manage systems to reduce vulnerabilities
    through vulnerability testing and management, promptly
    installing patches, and eliminating or disabling unnecessary
    services.

According to USCIS staff, when an unassigned laptop was
assigned to a new user, USCIS provided that laptop with the latest
approved operating system and service pack. However, USCIS
was not adequately managing the automated software updates to
ensure that the laptops in use were running the latest release of
Microsoft Windows products. For example, USCIS used WSUS to
provide Windows-related updates to its laptops, but did not use
WSUS to upgrade operating systems or install associated service
packs.

Furthermore, not all laptops received WSUS monthly updates,
even though USCIS policy requires these updates. According to
the USCIS Rules of Behavior that all users sign when issued a
laptop, USCIS staff are required to connect their USCIS laptop
computers to the USCIS network at least every 30 days to receive
patches and antivirus updates. Laptop computers without the latest
operating systems and associated service packs are at increased
risk of malware due to inherent and unpatched vulnerabilities
associated with the older system software. However, WSUS
reports showed that only 2,530 laptops had been attached to the
network in the previous 30 days. During the same period, the
USCIS property management system contained an inventory of
6,659 laptops.

Recommendations

We recommend that the USCIS CIO:

Recommendation #4: Ensure that USCIS configuration
management software and processes enable the updating of
laptops’ operating systems and encryption software with the latest
releases.

Recommendation #5: Develop procedures to ensure that USCIS
assigned laptops are connected to its network for system and
software updates on a monthly basis.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the
Director of USCIS. We have included a copy of the comments in
their entirety at appendix B. The Director of USCIS concurred
with all five recommendations.

Recommendation #4

USCIS concurs with this recommendation. USCIS will update its
configuration management policies, procedures, and processes.
USCIS also will develop a process to update non-networking
laptops manually. Additionally, USCIS will update its procedures
for naming laptops and will ensure that laptops are updated with
the new name when they are turned in for reuse.

OIG Analysis

The actions being taken satisfy the intent of this recommendation.
This recommendation is considered resolved, but will remain open
until USCIS provides documentation to support that the planned
corrective actions are completed.

Recommendation #5

USCIS concurs with this recommendation. USCIS will develop a
process to identify which laptops are configured to be connected to
the network.
Also, USCIS will ensure that these laptops
automatically receive updates every month. For laptops not
configured to be used on the network, USCIS will develop
procedures to update those laptops manually. USCIS will also
increase its communications to USCIS personnel concerning their
responsibilities for properly maintaining their laptops.

OIG Analysis

The actions being taken satisfy the intent of this recommendation.
This recommendation is considered resolved, but will remain open
until USCIS provides documentation to support that the planned
corrective actions are completed.

Appendix A
Purpose, Scope, and Methodology

The objective of our audit was to determine whether USCIS has
implemented an effective program to protect the security and
integrity of its laptop computers.
Specifically, we—

    Determined whether the current process that USCIS has in
    place to maintain its inventory of laptops is adequate;

    Determined whether USCIS’ current process of updating
    laptop images and security patches is adequate;

    Determined whether USCIS has a process to protect
    personally identifiable information stored on laptops; and

    Assessed whether USCIS follows appropriate procedures
    and takes appropriate corrective actions to address
    decommissioned, damaged, excessed, lost, or stolen
    laptops.

Our audit focused on the requirements outlined in Directive
4300A. We also reviewed component-specific guidance, including
USCIS Personal Property Management Handbook, USCIS
Personal Property Physical Inventory Guidance, USCIS
Management Directive 144-001 Board of Survey, and the USCIS
Rules of Behavior for users of Federal Government information
technology resources.

We interviewed USCIS personnel, including property custodians,
information technology specialists, personal property managers,
and contractors. We also conducted a site visit of the contractor’s
New Jersey facility where USCIS laptops are received, configured,
and then shipped to staff. Additionally, we performed site visits at
two USCIS facilities in Washington, DC, to observe laptops at
those locations.
We also conducted a laptop sample to verify host
names, operating systems, service packs, and encryption versions.

Our previous laptop security audits included onsite visits and the
technical scanning of selected laptops.2 However, our planning for
this audit emphasized minimizing our impact on USCIS while
expanding our scope to include a more representative sample of
laptops. To that end, we selected a random sample of laptops from
USCIS’ complete laptop inventory. We then requested that USCIS
staff provide screen prints from this sample showing each laptop’s
operating system information, computer name, and encryption
software.

2 Improved Administration Can Enhance Federal Emergency Management Agency Laptop Computer
Security (Redacted), OIG-07-50, June 2007.

This methodology was intended to minimize the impact on users,
but it had a greater impact on USCIS property custodians. For
example, rather than focusing on the laptops in a few facilities, we
requested information on laptops throughout USCIS’ worldwide
operations. This request required action from more property
custodians. Additionally, several property custodians had to
perform extra work, including tracking down the requested laptop
and providing support to produce the screen prints.
We are very appreciative of the work that USCIS staff performed to provide the
requested information for this effort.

We conducted this audit between September 2011 and February 2012 pursuant to
the Inspector General Act of 1978, as amended, and according to generally
accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based upon our audit
objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based upon our audit objectives. We gave
briefings and presentations to DHS staff concerning the results of our
fieldwork and the information summarized in this report.

We appreciate the efforts of USCIS management and staff to provide the
information and access necessary to accomplish this review. The principal OIG
points of contact for the audit are Frank Deffer, Assistant Inspector General
for Information Technology Audits, (202) 254-4100, and Sharon Huiswoud,
Director, Information Systems Division, (202) 254-5451. Major OIG contributors
to the audit are identified in appendix D.

Appendix B
Management Comments to the Draft Report

U.S. Department of Homeland Security
U.S. Citizenship and Immigration Services
Office of the Director (MS 2000)
Washington, DC 20529-2000

APR 18 2012

Memorandum

TO:       Frank Deffer
          Assistant Inspector General, Information Technology Audits

FROM:     Alejandro N. Mayorkas
          Director

SUBJECT:  U.S. Citizenship and Immigration Services (USCIS) Response to Office
          of Inspector General (OIG) Draft Report OIG-11-030: USCIS's Laptop
          Safeguards Need Improvements

USCIS appreciates the opportunity to review and comment on the subject report
and generally agrees with the OIG summary of the issues identified in the
report.

The Department of Homeland Security (DHS) - OIG recommends that the USCIS
Chief Information Officer (CIO):

Recommendation 1: Ensure that laptop data are entered consistently into the
USCIS property management system.

USCIS response: USCIS concurs with this recommendation.
The Office of Administration (ADMIN) identified this issue during the Fiscal
Year 2011 (FY11) inventory and implemented a policy change for the FY12
inventory and beyond. Beginning this fiscal year, when verifying their annual
inventory accuracy, Accountable Property Officers must certify that:
• All equipment is assigned to an end user; and
• All users have signed user receipts for all issued personal property.

ADMIN will monitor compliance during annual inventory reconciliations and
during site visits. All USCIS Directorates and Program Offices will follow the
policies and guidelines stipulated in the USCIS Personal Property Management
Instruction Handbook, USCIS IHB 119-002-01.

Target completion date: September 30, 2012

Recommendation 2: Develop a consistent process to record when laptops are
initially provided as government-furnished equipment (GFE).

USCIS response: USCIS concurs with this recommendation. The Office of
Contracting, ADMIN, and Office of Information Technology (OIT) will work
together to review agency policies and procedures governing the management of
GFE and ensure that all agency contracts include the proper GFE contract
language as necessary.
In addition, these offices will standardize the process for recording,
maintaining, reporting, and retrieving GFE in accordance with Federal and
Department standards.

Target Completion Date: December 31, 2012

Recommendation 3: Provide appropriate locks and cables for laptops that may
not be secured in locked offices, in a locked cabinet, or desk when
unattended.

USCIS response: USCIS concurs with this recommendation. USCIS has established
policies concerning the physical protection of laptops. USCIS Management
Directive 123-001.1, Telework Program, Appendix A, Section VIII, paragraph G.3
requires employees to store sensitive personal property under lock and key
with sufficient access control measures such as in a locked room, desk drawer,
safe, or file cabinet to afford adequate protection against unauthorized
access. USCIS Form 0-1129, Telework Program Application and Agreement,
requires employees to acknowledge this requirement in writing. Additionally,
the USCIS Rules of Behavior require employees to protect equipment under their
control and outline requirements for safeguarding equipment when in airports,
hotel rooms, and when leaving it in a car.
These requirements must be acknowledged in writing.

Each USCIS Directorate and Program Office uses their own standard supply
procedures to allow their users to purchase locks and cables for their laptops
(via Purchase Card or DHS Form 1501). It is up to the individual user to
determine his or her need for extra physical security measures when using
their laptop in unsecured facilities.

ADMIN, OIT, and the Office of Human Capital and Training will update current
policies and instructions to specifically address laptop security, including
the use of a lock and cable system where stronger security methods, as
outlined above, cannot be met.

Target Completion Date: September 30, 2012

Recommendation 4: Ensure that USCIS configuration management software and
processes enable the updating of laptops' operating systems and encryption
software with the latest releases.

USCIS response: USCIS concurs with this recommendation. OIT will update its
configuration management policies, procedures, and processes to enhance
accountability of laptop operating system and encryption software versioning.
OIT has tools in place that automatically push updates to a laptop once it is
connected to the network. For laptops that are used for non-networking
purposes, OIT will develop a process to ensure that these laptops are updated
manually frequently.

OIT will update its procedures concerning DHS naming scheme to comply with DHS
standards and ensure laptops are updated with the new naming scheme as they
are turned in for reuse.

Additionally, OIT will update the USCIS Rules of Behavior to stipulate the
software update requirements for both networked and non-networked laptops.

Target Completion Date: April 30, 2013

Recommendation 5: Develop procedures to ensure that users' laptops are
connected to its network for system and software updates on a monthly basis.

USCIS response: USCIS concurs with this recommendation. OIT will develop a
process to identify which laptops have been configured to receive automatic
system updates when they are connected to the network and ensure that they are
connected monthly. For laptops not configured to be used on the network, OIT
will develop procedures to update the laptops manually. In addition, OIT will
increase its communications to USCIS personnel on their roles and
responsibilities and available resources to assist with properly maintaining
their laptops.

Target Completion Date: April 30, 2013

Appendix C
Statistical Analysis of USCIS Laptops

Given a population size of 6,659 laptops, a 95 percent confidence interval, a
5 percent sampling error, and a 50 percent population proportion, a random
selection sample would need to include 363 laptops.
We used IDEA software to randomly select 363 laptops from USCIS’ October 2011
inventory of 6,659 laptops. Laptops selected were in the United States as well
as in other countries. Some laptops were classified, some were being used by
contractors, some were used for training purposes, and some were unassigned.
We received sample responses for 287 USCIS laptops. Although the response did
not include all 363 requested laptops, the 287 responses exceeded a lower but
still statistically valid sample size of 261 laptops.3

Based on these responses from our random sample, we are able to infer the
following characteristics of the total USCIS laptop population (see table 3).

Table 3: Characteristics of the USCIS Laptop Population

Laptop                                                Random Sample   Percentage Applied to USCIS
                                                      Percentage      Population of 6,659 Laptops
WSUS computer name with wrong barcode                  2.79%            185
Nonstandard WSUS computer name                         6.27%            417
Wrong SAMS barcode                                     0.35%             23
Unassigned laptops                                    19.16%          1,276
Laptops with older versions of encryption software     8.01%            533
Encryption not active or not installed                 4.53%            301
Older release of operating system or service pack      4.18%            278

3 Given a population size of 6,659 laptops, a 90 percent confidence interval,
a 5 percent sampling error, and a 50 percent population proportion, a random
sample would total 261 laptops.

Appendix D
Major Contributors to this Report

Sharon Huiswoud, Director
Kevin Burke, Supervisory Auditor
Pamela Chambliss-Williams, Senior Program Analyst
Charles Twitty, Senior Auditor
Matthew Worner, Senior Auditor
M. Faizul Islam, Economist/Statistician
Robert Durst, Referencer

Appendix E
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Director of USCIS
USCIS Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner
Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of
Inspector General (OIG) at (202)254-4100, fax your request to (202)254-4305,
or e-mail your request to our OIG Office of Public Affairs at
DHS-OIG.OfficePublicAffairs@dhs.gov. For additional information, visit our OIG
website at www.oig.dhs.gov or follow us on Twitter @dhsoig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to Department of Homeland Security
programs and operations:

• Call our Hotline at 1-800-323-8603

• Fax the complaint directly to us at (202)254-4292

• E-mail us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
        DHS Office of Inspector General/MAIL STOP 2600,
        Attention: Office of Investigation - Hotline,
        245 Murray Drive SW, Building 410
        Washington, DC 20528

The OIG seeks to protect the identity of each writer and caller.
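
The sample-size and projection arithmetic in Appendix C can be reproduced and extended with interval estimates for each table 3 finding. The Python below is an added example, not part of the OIG report: it assumes Cochran's formula with a finite population correction and a Wilson score interval (the report names neither method), and it back-calculates each sample count from the published percentage.

```python
from math import sqrt
from statistics import NormalDist

POPULATION = 6659  # laptops in the October 2011 inventory (from the report)
RESPONSES = 287    # sample responses received (from the report)

# Sample percentages copied from table 3 (a subset of its rows).
TABLE3_PCT = {
    "Unassigned laptops": 19.16,
    "Older encryption software": 8.01,
    "Encryption not active or not installed": 4.53,
    "Older OS release or service pack": 4.18,
}

def z_score(confidence):
    """Two-sided normal critical value, about 1.96 for 0.95."""
    return NormalDist().inv_cdf(0.5 + confidence / 2)

def required_sample(population, confidence, error=0.05, p=0.5):
    """Cochran's sample size with finite population correction, unrounded.
    Tools differ in rounding; the report's 363 and 261 are within one."""
    n0 = z_score(confidence) ** 2 * p * (1 - p) / error ** 2
    return n0 / (1 + (n0 - 1) / population)

def worst_case_margin(n, population, confidence):
    """Sampling error at p = 0.5 for n laptops drawn without replacement."""
    fpc = (population - n) / (population - 1)
    return z_score(confidence) * sqrt(0.25 / n * fpc)

def wilson_interval(hits, n, confidence):
    """Wilson score interval; stays sensible for small counts."""
    z2 = z_score(confidence) ** 2
    p = hits / n
    centre = (p + z2 / (2 * n)) / (1 + z2 / n)
    half = sqrt(z2 * (p * (1 - p) / n + z2 / (4 * n * n))) / (1 + z2 / n)
    return centre - half, centre + half

def project(pct, confidence=0.90):
    """Return (point, low, high) laptop counts for one table 3 percentage."""
    hits = round(pct / 100 * RESPONSES)  # assumption: count back-calculated
    low, high = wilson_interval(hits, RESPONSES, confidence)
    # Truncating the point estimate reproduces the counts printed in table 3.
    return (int(hits / RESPONSES * POPULATION),
            int(low * POPULATION), int(high * POPULATION))

if __name__ == "__main__":
    for conf in (0.95, 0.90):
        need = required_sample(POPULATION, conf)
        margin = worst_case_margin(RESPONSES, POPULATION, conf)
        print(f"{conf:.0%}: need {need:.1f} laptops; "
              f"{RESPONSES} responses give +/-{margin:.1%}")
    for row, pct in TABLE3_PCT.items():
        point, low, high = project(pct)
        print(f"{row}: {point} (90% interval {low} to {high})")
```

The intervals show how wide the uncertainty is around a single projected count such as the 301 laptops without active encryption, which matters when the figure is used to size a remediation effort.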